About Upgrade Paths: Can I Upgrade?

Your upgrade path is a detailed plan for what you will upgrade and when. In general, you upgrade the Firepower Management Center, then its managed devices. However, in some cases you may need to upgrade devices first. If you have assessed your deployment—that
is, you know what you have and what you want—you are ready to build your upgrade path.

Tip

Especially in larger deployments where you must alternate FMC and device upgrades, upgrade paths that require intermediate versions can be time consuming. To save time, you can reimage
older devices instead of upgrading. First, remove the devices from the FMC. Then, upgrade the FMC, reimage the devices, and re-add them to the FMC.

Answer 'Yes' to Two Important Questions

You must answer 'yes' to both of these questions, every time you upgrade either an FMC or a device:

Is Direct Upgrade Possible?

If a direct upgrade from your current to your target version is not possible, your upgrade path must include either intermediate
versions, or strategic reimaging. To patch Firepower, you must be running the base major version. You cannot upgrade directly
to a patch from a previous major version.

For major upgrades, this table summarizes upgrade capabilities for Firepower Management Centers and their managed devices. Find your current major version in the first column, then read across to determine if a direct
upgrade is possible to your target version. For upgrade paths for each appliance type see the upgrade chapters: Upgrade Firepower Appliances.

Table 1. Firepower Direct Upgrade Support

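Rows: current version (from). Columns: target version (to), direct upgrade supported.

| Current Version | 6.4 | 6.3 | 6.2.3 | 6.2.2 | 6.2.1 | 6.2 | 6.1 | 6.0.1 | 6.0 |
|---|---|---|---|---|---|---|---|---|---|
| 6.3 | Yes | — | — | — | — | — | — | — | — |
| 6.2.3 | Yes | Yes | — | — | — | — | — | — | — |
| 6.2.2 | Yes | Yes | Yes | — | — | — | — | — | — |
| 6.2.1 | Yes | Yes | Yes | Yes | — | — | — | — | — |
| 6.2 | Yes | Yes | Yes | Yes | — | — | — | — | — |
| 6.1 | Yes† | Yes | Yes | — | — | Yes | — | — | — |
| 6.0.1 | — | — | — | — | — | — | Yes | — | — |
| 6.0 | — | — | — | — | — | — | — | Yes | — |
| 5.4.x | — | — | — | — | — | — | — | — | Yes* |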

* You must be running at least Version 5.4.0.2/5.4.1.1 to upgrade to Version 6.0.

† You cannot upgrade a Firepower 4100/9300 series device from Version 6.1 directly to Version 6.4. We recommend you use Version
6.2.3 as an intermediate version.

Can I Maintain FMC-Device Version Compatibility?

Before you upgrade the Firepower Management Center, make sure the upgraded FMC will be able to manage its current devices. If it will not be able to, upgrade the devices first.
You cannot upgrade a device past the FMC's own major version.

Note that you can patch a device without patching the FMC, and vice versa. However, we strongly recommend you upgrade both. This allows you to take advantage of new features and bug fixes.

This table lists major FMC versions, and the major versions of devices they can manage. Find your current major version in
the first column, then read across to determine which devices you can manage.

Table 2. FMC-Device Version Compatibility

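Rows: FMC version. Columns: device version.

| FMC Version | 6.4 | 6.3 | 6.2.3 | 6.2.2 | 6.2.1 | 6.2.0 | 6.1 | 6.0.1 | 6.0 | 5.4.1 | 5.4.0 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 6.4 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | — | — | — | — |
| 6.3 | — | Yes | Yes | Yes | Yes | Yes | Yes | — | — | — | — |
| 6.2.3 | — | — | Yes | Yes | Yes | Yes | Yes | — | — | — | — |
| 6.2.2 | — | — | — | Yes | Yes | Yes | Yes | — | — | — | — |
| 6.2.1 | — | — | — | — | Yes | Yes | Yes | — | — | — | — |
| 6.2.0 | — | — | — | — | — | Yes | Yes | — | — | — | — |
| 6.1 | — | — | — | — | — | — | Yes | Yes | Yes | Yes* | Yes* |
| 6.0.1 | — | — | — | — | — | — | — | Yes | Yes | Yes* | Yes* |
| 6.0 | — | — | — | — | — | — | — | — | Yes | Yes* | Yes* |
| 5.4.1 | — | — | — | — | — | — | — | — | — | Yes | Yes |
| 5.4.0 | — | — | — | — | — | — | — | — | — | — | Yes |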

* A device must be running at least Version 5.4.0.2/5.4.1.1 to be managed by a Version 6.0, 6.0.1, or 6.1 FMC.

Where Do I Begin?

If you are not sure how to start planning your upgrade path, refer to your deployment assessment and find your platforms in
this table.

Table 3. Beginning a Firepower Upgrade Based on Current Major Version

| FMC | Devices | First Upgrade | Details |
|---|---|---|---|
| 6.3 | 6.1 through 6.3 | FMC → 6.4 | A Version 6.4 FMC can manage devices back to Version 6.1. |
| 6.2.3 | 6.1 through 6.2.3 | FMC → 6.3 or 6.4 | These FMCs can manage devices back to Version 6.1. |
| 6.2.2 | 6.1 through 6.2.2 | FMC → 6.2.3 or 6.3 or 6.4 | These FMCs can manage devices back to Version 6.1. |
| 6.2.1 | 6.1 through 6.2.1 | FMC → 6.2.2 or 6.2.3 or 6.3 or 6.4 | These FMCs can manage devices back to Version 6.1. |
| 6.2 | 6.1 through 6.2 | FMC → 6.2.2 or 6.2.3 or 6.3 or 6.4 | These FMCs can manage devices back to Version 6.1. |
| 6.1 | 6.1 | FMC → 6.2 or 6.2.3 or 6.3 or 6.4 | These FMCs can manage devices back to Version 6.1. |
| 6.1 | 5.4 through 6.0.1 | Devices → 6.1 | You must upgrade devices to Version 6.1 if you plan to upgrade the FMC past Version 6.1. |
| 6.0.1 | 5.4 through 6.0.1 | FMC → 6.1 | A Version 6.1 FMC can manage devices back to Version 5.4. |
| 6.0 | 5.4 through 6.0 | FMC → 6.0.1 | A Version 6.0.1 FMC can manage devices back to Version 5.4. |
| 5.4 | 5.4 | FMC → 6.0 | A 6.0 FMC can manage Version 5.4 devices. |
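
The two questions above (is a direct upgrade possible, and can the FMC still manage its devices) can be checked mechanically. The following is an added example, not Cisco code: it transcribes Table 1 and Table 2 into dictionaries, finds the fewest-hop chain of direct upgrades, and orders FMC and device hops so the FMC can manage the device at every step. The function names are illustrative, 5.4.x is collapsed to "5.4", and the table footnotes (minimum 5.4.0.2/5.4.1.1, the Firepower 4100/9300 restriction) are not modeled.

```python
from collections import deque

# Table 1 transcribed: current major version -> direct-upgrade targets.
# Simplification: 5.4.x is written "5.4"; the * and † footnotes are not modeled.
DIRECT = {
    "6.3": ["6.4"], "6.2.3": ["6.4", "6.3"], "6.2.2": ["6.4", "6.3", "6.2.3"],
    "6.2.1": ["6.4", "6.3", "6.2.3", "6.2.2"],
    "6.2": ["6.4", "6.3", "6.2.3", "6.2.2"],
    "6.1": ["6.4", "6.3", "6.2.3", "6.2"],
    "6.0.1": ["6.1"], "6.0": ["6.0.1"], "5.4": ["6.0"],
}
# Table 2 transcribed: FMC major version -> oldest device version it manages.
OLDEST = {"6.4": "6.1", "6.3": "6.1", "6.2.3": "6.1", "6.2.2": "6.1", "6.2.1": "6.1",
          "6.2": "6.1", "6.1": "5.4", "6.0.1": "5.4", "6.0": "5.4", "5.4": "5.4"}

def key(v):
    return tuple(int(p) for p in (v + ".0.0").split(".")[:3])  # "6.2" -> (6, 2, 0)

def can_manage(fmc, device):
    # A device may be no older than OLDEST[fmc] and no newer than the FMC itself.
    return key(OLDEST[fmc]) <= key(device) <= key(fmc)

def upgrade_path(current, target):
    """Fewest-hop chain of direct upgrades, or None if Table 1 has no route."""
    queue, seen = deque([[current]]), {current}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in DIRECT.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def plan(fmc, device, target):
    """Ordered (appliance, from, to) hops that keep the FMC able to manage the device."""
    f, d = upgrade_path(fmc, target), upgrade_path(device, target)
    if f is None or d is None:
        return None
    steps = []
    while len(f) > 1 or len(d) > 1:
        if len(f) > 1 and can_manage(f[1], d[0]):      # FMC first when it can
            steps.append(("FMC", f[0], f[1]))
            f = f[1:]
        elif len(d) > 1 and can_manage(f[0], d[1]):    # otherwise the device catches up
            steps.append(("device", d[0], d[1]))
            d = d[1:]
        else:
            return None  # no compatible ordering along these paths
    return steps
```

For a Version 6.0 FMC managing a Version 5.4 device, `plan("6.0", "5.4", "6.4")` stops the FMC at 6.1 until the device reaches 6.1, which matches the "Devices → 6.1" row of Table 3.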

Major Upgrades vs Patches

Major upgrades are more complex and take more time than patches.

Although we recommend you upgrade your entire deployment, you can patch a device without patching the FMC, and vice versa.
Just keep in mind that you cannot fully take advantage of new features and bug fixes until you patch both.

Table 4. Characteristics of Major Upgrades vs Patches

| Characteristic | Major Upgrades | Patches |
|---|---|---|
| New features and functionality | Include new features and functionality, and may entail large-scale changes to the product. | |
| | You can always upgrade to the next major version. You do not have to be running the latest patch to upgrade. Often, you can skip major versions when upgrading. For details, refer to the supported upgrade path for your platform. | You can only patch within a major version sequence. For example: Yes: 6.2.0 → 6.2.0.3. No: 6.2.0 → 6.2.3.1. |
| OS upgrades | Likely to have companion operating system upgrades, for devices where you upgrade the OS separately. | Usually do not have companion operating system upgrades, although often you can patch the OS to resolve minor issues. |
| Freshly Installing | Can be freshly installed/restored. If you are unable to upgrade a Firepower appliance, or are disinclined to follow the required upgrade path, you can freshly install major Firepower releases. | Cannot be freshly installed. Cisco does not provide installation packages for patches. To run a particular patch, install the major version, then apply the patch. |
| Uninstalling | Cannot be uninstalled. If you need to revert to an earlier version, you must freshly install. | Can be uninstalled. When you uninstall, you either: return to the previously released (but not necessarily installed) patch (Versions 5.4.x to 6.2.2.x), or return to the appliance's base major version (Version 6.2.3+). |

Include Companion Upgrades

For some Firepower appliances, you upgrade the operating system or virtual hosting environment separately from the Firepower
software. Major upgrades in particular are likely to have companion operating system upgrades.

You can also upgrade these components without upgrading the Firepower software, and the other way around. For example, an operating system patch may resolve issues unrelated
to the Firepower software. Or, you may want to take advantage of new Firepower features without upgrading your hypervisor.
Just make sure that the target version of the component you do want to upgrade is compatible with the components you are not upgrading.

FXOS Upgrades: Firepower 4100/9300 Chassis

Major Firepower versions have a companion FXOS version for Firepower 4100/9300 chassis. You must be running that companion version of FXOS on the chassis before you upgrade the Firepower software on the logical devices.

ASA Upgrades: ASA with FirePOWER Services

There is wide compatibility between ASA and ASA FirePOWER versions. However, even if an ASA upgrade is not strictly required, resolving issues may require an upgrade to the latest
supported version.

Virtual Hosting Environment Upgrades

Virtual Firepower appliances run in a variety of hosting environments. The Firepower software must remain compatible with
its hosting environment. Your upgrade path depends on compatibility:

Upgrade hosting environment first: For example, if you are running NGIPSv Version 5.4.x on VMware ESXi 5.0, you must upgrade VMware ESXi to Version 5.1 or Version 5.5 before you upgrade NGIPSv to Firepower 6.0.

Upgrade Firepower software first: For example, if you are running FTDv Version 6.1.x on VMware ESXi 6.0, upgrade the Firepower
software to Version 6.2.3 before you upgrade VMware ESXi to Version 6.5.

Identify Preinstallation Packages

For some upgrades on some platforms, we provide a preinstallation package or hotfix that optimizes the upgrade, enables specific
upgrade functions, or fixes upgrade issues.

Preinstallation packages and hotfixes are available on the Cisco Support & Download site in the same location as the upgrade and installation packages. Just as with regular upgrade packages, use the System > Updates page on the FMC to run a preinstall or hotfix. We recommend you do this just before you upgrade.

Identify When to Add New Devices

If your upgrade path includes adding a new device, when you add it depends on the device type:

Physical device: Determine which Firepower version the device is currently running. Add the device as soon as you can, then
use the Firepower Management Center to upgrade the new device with the rest of your deployment. Do not upgrade your FMC past the point where it can no longer
manage the out-of-the-box device.

Virtual device: Create after you upgrade the FMC to its target version. When you add a new virtual device, you should never
have to perform a major upgrade, only patches.

Identify Interruptions in Traffic Flow and Inspection

You must identify potential interruptions in traffic flow and inspection during the upgrade. These can occur:

When a device is rebooted.

When you upgrade the operating system or virtual hosting environment on a device.

When you upgrade the Firepower software on a device, or uninstall a patch.

When you deploy configuration changes as part of the upgrade or uninstall process (Snort process restarts).

Device type, deployment type (standalone, high availability, clustered), and interface configurations (passive, IPS, firewall,
and so on) determine the nature of the interruptions. We strongly recommend performing any upgrade or uninstall in a maintenance window or at a time when any interruption will have the least
impact on your deployment.